can't build 1.5 with --enable-static

2006-08-09 Thread Andreas Hasenack
building static db library
set -x; objlist=`set -x && perl -p -e 'BEGIN { $SIG{__WARN__} = sub {die 
@_} }; $e=$ARGV; $e =~ s/OBJS\...$//; s/^/ /; s/ $//; s/ / $e/g;' 
hash/OBJS.ST btree/OBJS.ST db/OBJS.ST mpool/OBJS.ST recno/OBJS.ST 
clib/OBJS.ST` && ar cq libdb.a $objlist
++ set -x
++ perl -p -e 'BEGIN { $SIG{__WARN__} = sub {die @_} }; $e=$ARGV; $e =~ 
s/OBJS\...$//; s/^/ /; s/ $//; s/ / $e/g;' hash/OBJS.ST btree/OBJS.ST 
db/OBJS.ST mpool/OBJS.ST recno/OBJS.ST clib/OBJS.ST
Can't open hash/OBJS.ST: No such file or directory.
+ objlist=
make[2]: *** [libdb.a] Error 2
make[2]: Leaving directory 
`/build/svn/krb5/BUILD/krb5-1.5/src/plugins/kdb/db2/libdb2'


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: unix active directory

2006-08-09 Thread Quanah Gibson-Mount
"Tim Alsop" <[EMAIL PROTECTED]> writes:

> Michael,
> I suggest you take a look at XAD (www.padl.com). This is a product that
> runs on Linux, and looks like an Active Directory domain controller.

PADL pulled XAD from its website for reasons not yet announced.  Maybe
Luke Howard will want to comment (or maybe not. ;) ).

--Quanah


-- 
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html



RE: unix active directory

2006-08-09 Thread Thomas A. La Porte
I was going to make the identical suggestion, however, when I 
went looking on the PADL website, mention of XAD was nowhere to 
be found. A search of the site turns up references to XAD, 
however, they either lead to 404s or to redirects to the main 
product page.

Perhaps XAD is being shelved?

  -- Tom

Thomas A. La Porte, DreamWorks Animation


On Wed, 9 Aug 2006, Tim Alsop wrote:

> Michael,
>
> I suggest you take a look at XAD (www.padl.com). This is a product that
> runs on Linux, and looks like an Active Directory domain controller.
>
> Cheers,
> Tim
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Michael B Allen
> Sent: 09 August 2006 20:33
> To: Shawn Wilson
> Cc: kerberos@mit.edu
> Subject: Re: unix active directory
>
> Hi Shawn,
>
> Active Directory is the name of Microsoft's KDC/LDAP server. So there's
> no such thing as "Active Directory server on linux". You could setup a
> KDC (MIT, Heimdal, etc) or an LDAP server (OpenLDAP, Fedora Directory
> Server) on your Linux machine but even if you managed to get them
> to work together well, you still wouldn't have anything like "Active
> Directory". The closest thing to AD on linux would be Samba4 but that's
> not quite ready for production environments.
>
> Also, unless you have a specific question about Kerberos I think
> responses
> here will be limited [1].
>
> Mike
>
> [1] I'm pleased to see that this list is very tolerant of posts about
> "Active Directory". Apparently the OpenLDAP-software list automatically
> censors any post containing the term (e.g. my sig).
>
> On Wed, 9 Aug 2006 09:46:47 -0700 (PDT)
> Shawn Wilson <[EMAIL PROTECTED]> wrote:
>
>> I am interested in getting an Active Directory server setup on a linux
> (Ubuntu)
>> server. I currently just have a samba file server, ntp, and dns setup
> on this
>> server. I don't have any Windows 2k/XP servers here.
>>
>> I have found many howtos and other docs on kerberos, ldap, and samba.
> However
>> my question is where to start. In theory, what I was looking for was a
> cookie
>> cutter solution to getting an Active Directory server setup on Unix.
> However
>> aside from that, I was wondering where I should start.
>>
>> One more point of woe for me is that I don't have a FQDN. I was
> advised that I
>> could just make one on my dns and setup dhcp to make sure those hosts
> used my
>> dns and be fine with that. I was wondering if this is possible?
>>
>> Also, though I have googled and have a bit more than a half dozen
> pages along
>> this topic bookmarked, any resources that anyone could recommend would
> be
>> appreciated.
>>
>>
>>
>> thanx
>> darkhaven (aka - shawn wilson / ag4ve)
>>
>> __
>> Do You Yahoo!?
>> Tired of spam?  Yahoo! Mail has the best spam protection around
>> http://mail.yahoo.com
>> 
>>
>
>
>



RE: unix active directory

2006-08-09 Thread Tim Alsop
Michael,

I suggest you take a look at XAD (www.padl.com). This is a product that
runs on Linux, and looks like an Active Directory domain controller.

Cheers,
Tim 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Michael B Allen
Sent: 09 August 2006 20:33
To: Shawn Wilson
Cc: kerberos@mit.edu
Subject: Re: unix active directory

Hi Shawn,

Active Directory is the name of Microsoft's KDC/LDAP server. So there's
no such thing as "Active Directory server on linux". You could setup a
KDC (MIT, Heimdal, etc) or an LDAP server (OpenLDAP, Fedora Directory
Server) on your Linux machine but even if you managed to get them
to work together well, you still wouldn't have anything like "Active
Directory". The closest thing to AD on linux would be Samba4 but that's
not quite ready for production environments.

Also, unless you have a specific question about Kerberos I think
responses
here will be limited [1].

Mike

[1] I'm pleased to see that this list is very tolerant of posts about
"Active Directory". Apparently the OpenLDAP-software list automatically
censors any post containing the term (e.g. my sig).

On Wed, 9 Aug 2006 09:46:47 -0700 (PDT)
Shawn Wilson <[EMAIL PROTECTED]> wrote:

> I am interested in getting an Active Directory server setup on a linux
(Ubuntu)
> server. I currently just have a samba file server, ntp, and dns setup
on this
> server. I don't have any Windows 2k/XP servers here.
> 
> I have found many howtos and other docs on kerberos, ldap, and samba.
However
> my question is where to start. In theory, what I was looking for was a
cookie
> cutter solution to getting an Active Directory server setup on Unix.
However
> aside from that, I was wondering where I should start.
> 
> One more point of woe for me is that I don't have a FQDN. I was
advised that I
> could just make one on my dns and setup dhcp to make sure those hosts
used my
> dns and be fine with that. I was wondering if this is possible?
> 
> Also, though I have googled and have a bit more than a half dozen
pages along
> this topic bookmarked, any resources that anyone could recommend would
be
> appreciated.
> 
> 
> 
> thanx
> darkhaven (aka - shawn wilson / ag4ve)
> 
> 
> 


-- 

Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/





Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Jeffrey Hutzelman


On Wednesday, August 09, 2006 02:55:05 PM -0500 "Douglas E. Engert" 
<[EMAIL PROTECTED]> wrote:

>> __gss_userok() is not; should it be?
>
> I would say yes. Every service needs to do this, and use the GSS creds
> to test if it can use the local resource. So in that regard it is
> generic.

Actually, many services don't need to do this.  An SSH server may want a
mechanism-independent "userok" API to determine whether to allow access to
a local account, but lots of services have nothing to do with local
accounts.



Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Nicolas Williams
On Wed, Aug 09, 2006 at 02:55:05PM -0500, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> >gss_store_cred() is a KITTEN WG work item.
> >
> >__gss_userok() is not; should it be? 
> 
> I would say yes. Every service needs to do this, and use the GSS creds
> to test if it can use the local resource. So in that regard it is
> generic.

Hmmm.  We're working to push authorization of GSS-API principals and
handling of delegated credentials to PAM.  So, we're working to make
public gss_userok() and gss_store_cred() interfaces unnecessary...



Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Douglas E. Engert


Nicolas Williams wrote:

> On Wed, Aug 09, 2006 at 02:26:57PM -0500, Douglas E. Engert wrote:
> 
>>
>>Nicolas Williams wrote:
>>
>>
>>>On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
>>>
>>>
>>>>Markus Moeller wrote:
>>>>
>>>>
>>>>>There shouldn't be the need of compiling openssh with Kerberos as the
>>>>>Solaris 10 version supports GSSAPI authentication.
>>>>
>>>>Yes and no. Until you want to store the delegated credential or do a
>>>>krb5_userok test.
>>>
>>>
>>>Solaris' sshd does this using __gss_userok() and gss_store_cred().
>>
>>Good, and that was what I was trying to get the kerberos working group
>>interested in before Kitten was started.
> 
> 
> gss_store_cred() is a KITTEN WG work item.
> 
> __gss_userok() is not; should it be? 

I would say yes. Every service needs to do this, and use the GSS creds
to test if it can use the local resource. So in that regard it is
generic.


> It depends on a notion of "user
> account," and so it's rather not so generic.  But we could have an
> individual submission draft targeting Informational status for
> "gss_userok()"...  Comments?
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Douglas E. Engert


Erich Weiler wrote:


> 
> 1: I want SSH to automatically forward my krb5 credentials when I SSH 
> into another machine using public keys.
> 

Don't think OpenSSH will do this either with out mods.


> 
> 
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: unix active directory

2006-08-09 Thread Michael B Allen
Hi Shawn,

Active Directory is the name of Microsoft's KDC/LDAP server. So there's
no such thing as "Active Directory server on linux". You could setup a
KDC (MIT, Heimdal, etc) or an LDAP server (OpenLDAP, Fedora Directory
Server) on your Linux machine but even if you managed to get them
to work together well, you still wouldn't have anything like "Active
Directory". The closest thing to AD on linux would be Samba4 but that's
not quite ready for production environments.

Also, unless you have a specific question about Kerberos I think responses
here will be limited [1].

Mike

[1] I'm pleased to see that this list is very tolerant of posts about
"Active Directory". Apparently the OpenLDAP-software list automatically
censors any post containing the term (e.g. my sig).

On Wed, 9 Aug 2006 09:46:47 -0700 (PDT)
Shawn Wilson <[EMAIL PROTECTED]> wrote:

> I am interested in getting an Active Directory server setup on a linux 
> (Ubuntu)
> server. I currently just have a samba file server, ntp, and dns setup on this
> server. I don't have any Windows 2k/XP servers here.
> 
> I have found many howtos and other docs on kerberos, ldap, and samba. However
> my question is where to start. In theory, what I was looking for was a cookie
> cutter solution to getting an Active Directory server setup on Unix. However
> aside from that, I was wondering where I should start.
> 
> One more point of woe for me is that I don't have a FQDN. I was advised that I
> could just make one on my dns and setup dhcp to make sure those hosts used my
> dns and be fine with that. I was wondering if this is possible?
> 
> Also, though I have googled and have a bit more than a half dozen pages along
> this topic bookmarked, any resources that anyone could recommend would be
> appreciated.
> 
> 
> 
> thanx
> darkhaven (aka - shawn wilson / ag4ve)
> 
> 
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/



Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Nicolas Williams
On Wed, Aug 09, 2006 at 02:26:57PM -0500, Douglas E. Engert wrote:
> 
> 
> Nicolas Williams wrote:
> 
> >On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
> >
> >>Markus Moeller wrote:
> >>
> >>>There shouldn't be the need of compiling openssh with Kerberos as the 
> >>>Solaris 10 version supports GSSAPI authentication.
> >>
> >>Yes and no. Until you want to store the delegated credential or do a
> >>krb5_userok test.
> >
> >
> >Solaris' sshd does this using __gss_userok() and gss_store_cred().
> 
> Good, and that was what I was trying to get the kerberos working group
> interested in before Kitten was started.

gss_store_cred() is a KITTEN WG work item.

__gss_userok() is not; should it be?  It depends on a notion of "user
account," and so it's rather not so generic.  But we could have an
individual submission draft targeting Informational status for
"gss_userok()"...  Comments?



Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Douglas E. Engert


Nicolas Williams wrote:

> On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
> 
>>Markus Moeller wrote:
>>
>>>There shouldn't be the need of compiling openssh with Kerberos as the 
>>>Solaris 10 version supports GSSAPI authentication.
>>
>>Yes and no. Until you want to store the delegated credential or do a
>>krb5_userok test.
> 
> 
> Solaris' sshd does this using __gss_userok() and gss_store_cred().

Good, and that was what I was trying to get the kerberos working group
interested in before Kitten was started.

> 
> 
>>With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>>ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>>authz function or a way to save the delegated creds.
>>
>>Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
>>approach too, then it would not need Kerberos specific code either.
> 
> 
> No, Solaris 10's sshd does not use PAM to do these two tasks.
> OpenSolaris' sshd will, however, soon enough.
> 
> Nico

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Jeffrey Hutzelman


On Wednesday, August 09, 2006 11:56:07 AM -0500 Nicolas Williams 
<[EMAIL PROTECTED]> wrote:

> On Wed, Aug 09, 2006 at 09:36:30AM -0700, Erich Weiler wrote:
>> I am getting credentials through PAM.  That much is working.  My
>> problem, very specifically, is that:
>>
>> 1: I want SSH to automatically forward my krb5 credentials when I SSH
>> into another machine using public keys.
>
> This makes no sense.  Why use public key authentication when you have
> Kerberos V?

I can see reasons why you might want to do that.  For example, your
Kerberos credentials might not be sufficient to allow access to the remote
machine.  However, that's beside the point.  You can't do this, no matter
what implementation you use, because there is no provision in the SSH 
protocol to allow this -- delegation of GSS-API credentials requires the 
use of GSS-API key exchange or user authentication using the credentials 
you wish to delegate.  From a protocol standpoint, either is sufficient, 
though some implementations may not support credential delegation with 
GSS-API key exchange (stock OpenSSH doesn't support GSS-API key exchange at 
all, but the sun one does).


>> 2: I don't want to use Sun SSH; I would rather use OpenSSH.  The reasons
>> for this are not applicable to this discussion.
>
> I thought they were.  You seemed to think that SUNWssh didn't support
> something that it does support.

I have to agree with Nico here.  You've said that the reason you want to 
build OpenSSH instead of using Sun's version is to get credential 
delegation.  Sun's SSH does this, and in fact has better support overall 
for both GSS-API and PAM than does OpenSSH.

-- Jeff



Re: PAM hangs after authenticating against 2003 AD

2006-08-09 Thread Sensei
On 2006-08-09 12:21:56 +0200, "Jesper Angelo" <[EMAIL PROTECTED]> said:

> Account: newbie ( Created on both AD and local (/etc/passwd) )

Well, what I intended was to create a local user and then kinit to a 
principal. So on unix ``localuser'' and on AD ``aduser''.

> Login with pam_unix yields: [...]
> Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
> newbie): exit: failure

Remove the pam module from the configuration, and login /locally/. You
probably have some kerberos trouble.

> Then I kinit... AD says it's a success and I get a ticket (and it doesn't
> get deleted for a loong time).
> 
> Funny enough - logfile shows nothing :-/ (Even if I kdestroy followed
> by kinit...)

These applications don't log, sorry.

> The login freezes in the sense that nothing happens. If I press CTRL-C,
> it exits back to prompt.

Mmh...

> It seems like it authorizes, and then doesn't know what to do next, thus
> times out after 60 seconds...?
> 
> 
> hope it makes sense :-)

Clear the auth log and login as I said /locally/ with a /pure/ /local/
user. See what happens working with this user. If you can work and
you're not kicked out, then kinit to a principal, noting what klist
shows (klist -aef --- if you want).

Then, if you /can/ kinit /and/ work with a local user, post the pam and 
kerberos configuration files.

-- 
Sensei <[EMAIL PROTECTED]>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true.  [J. Robert Oppenheimer]




Re: PAM hangs after authenticating against 2003 AD

2006-08-09 Thread Jesper Angelo
Account: newbie ( Created on both AD and local (/etc/passwd) )

Login with pam_unix yields:

==> /var/log/auth.log <==
Aug  9 11:51:11 localhost login[15519]: pam_krb5:
pam_sm_authenticate(login newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5:
pam_sm_authenticate(login newbie): krb5_get_init_creds_password():
Preauthentication failed
Aug  9 11:51:11 localhost login[15519]: pam_krb5:
pam_sm_authenticate(login newbie): exit: failure
Aug  9 11:51:11 localhost login[15519]: pam_krb5:
pam_sm_authenticate(login newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5:
pam_sm_authenticate(login newbie): krb5_get_init_creds_password():
Preauthentication failed
Aug  9 11:51:11 localhost login[15519]: pam_krb5:
pam_sm_authenticate(login newbie): exit: failure
Aug  9 11:51:11 localhost login[15519]: pam_krb5:
pam_sm_acct_mgmt(login newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5:
pam_sm_acct_mgmt(login newbie): ccache: not found
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): pam_get_data(): No module specific data is present
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): exit: failure
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): pam_get_data(): No module specific data is present
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): exit: failure
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): pam_get_data(): No module specific data is present
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login
newbie): exit: failure


Then I kinit... AD says it's a success and I get a ticket (and it doesn't
get deleted for a loong time).

Funny enough - logfile shows nothing :-/ (Even if I kdestroy followed
by kinit...)

The login freezes in the sense that nothing happens. If I press CTRL-C,
it exits back to prompt.

It seems like it authorizes, and then doesn't know what to do next, thus
times out after 60 seconds...?


hope it makes sense :-)


Jesper Angelo



Sensei wrote:
> On 2006-08-08 15:03:46 +0200, "Jesper Angelo" <[EMAIL PROTECTED]> said:
>
> > Additional info:
> >
> > Local login works using pam_unix...
> >
> > Even if I put pam_unix to be optional (ie all passwords are accepted)
> > it works - except if I put in the right password from the AD.
> >
> > So its something with the kerberos process in pam_krb5...
>
> Make a local user, login with this new guy and kinit to AD, get any log
> you can if something goes wrong. Work for some time to make sure you're
> not kicked out of the system (I understand this is what happens)
> collecting logs.
>
> Make clear what you mean by ``hangs for 30 secs''. Do you mean that it
> actually *freezes*? Can you type in the console?
>
> --
> Sensei <[EMAIL PROTECTED]>
>
> The optimist thinks this is the best of all possible worlds.
> The pessimist fears it is true.  [J. Robert Oppenheimer]


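Added example, not code from this thread or from any of its posters: a small Python triage script that groups pam_krb5 syslog lines like the ones above by login attempt and separates the root cause (the KDC's "Preauthentication failed" inside pam_sm_authenticate) from the "ccache: not found" and pam_sm_setcred failures that only follow from it. The log lines are constructed, modelled on Jesper's excerpt with the mail wrapping undone, plus one successful sshd attempt for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log excerpt in the post above
# (the mail client had wrapped each syslog line; here they are rejoined),
# plus one successful sshd attempt so the two outcomes can be compared.
SAMPLE_LOG = """\
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): krb5_get_init_creds_password(): Preauthentication failed
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_authenticate(login newbie): exit: failure
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_acct_mgmt(login newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_acct_mgmt(login newbie): ccache: not found
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): entry:
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): pam_get_data(): No module specific data is present
Aug  9 11:51:11 localhost login[15519]: pam_krb5: pam_sm_setcred(login newbie): exit: failure
Aug  9 11:52:30 localhost sshd[15602]: pam_krb5: pam_sm_authenticate(sshd alice): entry:
Aug  9 11:52:30 localhost sshd[15602]: pam_krb5: pam_sm_authenticate(sshd alice): exit: success
Aug  9 11:52:30 localhost sshd[15602]: pam_krb5: pam_sm_setcred(sshd alice): exit: success
"""

# syslog prefix, then pam_krb5's "function(service user): message" shape
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"pam_krb5: (?P<func>pam_sm_\w+)\((?P<service>\S+) (?P<user>[^)]+)\): (?P<msg>.*)$"
)


def parse_pam_krb5(log_text):
    """Yield one dict per pam_krb5 line; unrelated syslog lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text):
    """Group messages per login attempt (PID, PAM service, user) and decide
    which failure is the root cause and which ones merely follow from it."""
    attempts = defaultdict(lambda: defaultdict(list))
    for ev in parse_pam_krb5(log_text):
        key = (ev["pid"], ev["service"], ev["user"])
        attempts[key][ev["func"]].append(ev["msg"].strip())

    report = {}
    for key, phases in attempts.items():
        auth = phases.get("pam_sm_authenticate", [])
        acct = phases.get("pam_sm_acct_mgmt", [])
        setcred = phases.get("pam_sm_setcred", [])

        preauth_failed = any("Preauthentication failed" in m for m in auth)
        auth_failed = "exit: failure" in auth
        # These two only say that no credential cache exists for the
        # session; on their own they do not say why.
        downstream = []
        if "ccache: not found" in acct:
            downstream.append("pam_sm_acct_mgmt: ccache: not found")
        if "exit: failure" in setcred:
            downstream.append("pam_sm_setcred: exit: failure")

        if preauth_failed:
            root = "preauth_failed"
            advice = ("the KDC rejected pre-authentication (usually a wrong password, "
                      "or the principal pam_krb5 derived for this user does not match "
                      "the AD account); the ccache/setcred errors are consequences")
        elif auth_failed:
            root = "authenticate_failed"
            advice = "pam_sm_authenticate failed; read the message logged just before 'exit: failure'"
        elif downstream:
            root = "no_ccache_after_auth"
            advice = "authentication did not fail, yet no credential cache was kept for later phases"
        else:
            root = "ok"
            advice = "no pam_krb5 failure recorded for this attempt"
        report[key] = {"root_cause": root, "downstream": downstream, "advice": advice}
    return report


if __name__ == "__main__":
    for (pid, service, user), r in triage(SAMPLE_LOG).items():
        print(f"{service}[{pid}] {user}: {r['root_cause']}; downstream={r['downstream']}")
        print(f"    {r['advice']}")
```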


Having some kerberos problem

2006-08-09 Thread Viswanath Thangamuthu




I am getting some errors related to Kerberos: after su to some KRB5LDAP
users I am creating files and then setting ACLs on those files, but the
files are being created with "nobody nobody" in the user and group
fields instead of the actual user and group name. Then I am trying to set
ACLs using the aclput command and it fails with the following error:
aclput:operation not permitted.

NOTE: I am executing the testcase through the client machine, which has
the Kerberos client and LDAP client set up, and is also an NFS client.


More details
==
The domain and realm are the same on both server and client. Here is the
reference

On Server
=
realm4.austin.ibm.com nfsdom4.austin.ibm.com

On Client

realm4.austin.ibm.com nfsdom04.austin.ibm.com

Earlier it was realm4.austin.ibm.com nfsdom3.austin.ibm.com. Later I
changed the domain to nfsdom4 (for debugging), stopped the nfsrgyd daemon
and started it again. Then I tried su to the user, created files, and got
the same "nobody nobody" in the user and group fields.

On the client I mounted the filesystem with the following options

 mount -o sec=krb5,acl,vers=4 serverf:/nfstest/nfs_usr_grp /mnt  === NFSv4


Server = LDAP server , kerberos server with LDAP as back-end ,LDAP client
and kerberos client with LDAP as back-end , NFS server as well.
Client = LDAP client ,kerberos client with LDAP as back-end and NFS client
as well.

Please suggest on this. Thanks in advance.

Thanks & Regards,
Viswanath.T
--
Viswanath Thangamuthu,
AIX UPT Team,IBM India Software Lab,
EGL 7D, Off Indiranager-Koramangla Ring Road,
Bangalore 560071.
Phone:41777507  Internal Ext: 77507
--




Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Nicolas Williams
On Wed, Aug 09, 2006 at 09:52:51AM -0500, Douglas E. Engert wrote:
> Markus Moeller wrote:
> > There shouldn't be the need of compiling openssh with Kerberos as the 
> > Solaris 10 version supports GSSAPI authentication.
> 
> Yes and no. Until you want to store the delegated credential or do a
> krb5_userok test.

Solaris' sshd does this using __gss_userok() and gss_store_cred().

> With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
> ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
> authz function or a way to save the delegated creds.
> 
> Solaris 10's sshd uses PAM, to do these. OpenSSH should look at that
> approach too, then it would not need Kerberos specific code either.

No, Solaris 10's sshd does not use PAM to do these two tasks.
OpenSolaris' sshd will, however, soon enough.

Nico
-- 



Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Nicolas Williams
On Wed, Aug 09, 2006 at 09:36:30AM -0700, Erich Weiler wrote:
> I am getting credentials through PAM.  That much is working.  My 
> problem, very specifically, is that:
> 
> 1: I want SSH to automatically forward my krb5 credentials when I SSH 
> into another machine using public keys.

This makes no sense.  Why use public key authentication when you have
Kerberos V?

> 2: I don't want to use Sun SSH; I would rather use OpenSSH.  The reasons 
> for this are not applicable to this discussion.

I thought they were.  You seemed to think that SUNWssh didn't support
something that it does support.

> 3: OpenSSH can't forward Kerberos credentials without actually being 
> compiled against some sort of GSS-API, which I can't seem to do under 
> Solaris.

OpenSSH wants to use non-GSS-API, krb5 API functions that Solaris has
not made public until recent OpenSolaris builds and, I think, the latest
S10 update.

In any case, the OpenSSH autoconf scripts (configure.ac) probably don't
know how to find the Solaris GSS-API library and header files.  That
would be a bug/missing feature in OpenSSH.

Nico
-- 



unix active directory

2006-08-09 Thread Shawn Wilson
I am interested in getting an Active Directory server setup on a linux (Ubuntu)
server. I currently just have a samba file server, ntp, and dns setup on this
server. I don't have any Windows 2k/XP servers here.

I have found many howtos and other docs on kerberos, ldap, and samba. However
my question is where to start. In theory, what I was looking for was a cookie
cutter solution to getting an Active Directory server setup on Unix. However
aside from that, I was wondering where I should start.

One more point of woe for me is that I don't have a FQDN. I was advised that I
could just make one on my dns and setup dhcp to make sure those hosts used my
dns and be fine with that. I was wondering if this is possible?

Also, though I have googled and have a bit more than a half dozen pages along
this topic bookmarked, any resources that anyone could recommend would be
appreciated.



thanx
darkhaven (aka - shawn wilson / ag4ve)




Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Erich Weiler
> You fundamentally misunderstand how network authentication and
> credential forwarding work.

No, I think I do understand it.  All you have written below are steps I 
have taken and am sorted with.  Perhaps I'm not making myself very clear 
in describing the problem I'm having (which I can certainly believe).

> PAM is orthogonal to your problem.

I am getting credentials through PAM.  That much is working.  My 
problem, very specifically, is that:

1: I want SSH to automatically forward my krb5 credentials when I SSH 
into another machine using public keys.

2: I don't want to use Sun SSH; I would rather use OpenSSH.  The reasons 
for this are not applicable to this discussion.

3: OpenSSH can't forward Kerberos credentials without actually being 
compiled against some sort of GSS-API, which I can't seem to do under 
Solaris.

From what others have said, I'm out of luck in this regard.  Unless I
compile MIT Kerberos as a standalone package and compile OpenSSH against 
that, I cannot hope to enable OpenSSH krb5 cred forwarding.  But I have 
reasons why I'd like to stick with Solaris SEAM.  Call me picky.  :)

ciao, erich

> 
> In order to use network authentication you first need credentials.  You
> acquire these using kinit(1) or when you login first using a PAM-aware
> login application whose PAM stack is configured to use pam_krb5(5).
> 
> (This also works with keylogin(1) and pam_dhkeys(5), if you use NIS+.)
> 
> Next you use telnet(1), ftp(1), ssh(1), etcetera, with appropriate
> options.  The server has to have acceptor credentials, i.e., a
> host-based principal name for the service 'host' and valid keytab
> entries for these.
> 
> (Again, something similar goes for NIS+/DH.)
> 
> The client and server should negotiate the use of network authentication
> and the client should delegate credentials if a) you have forwardable
> tickets, b) use the appropriate option.
> 
> PAM barely enters the picture on the server-side, and you should not be
> prompted for any passwords.
> 
> So, what are you doing wrong?
> 
> Have you got a TGT on the client?  Is it forwardable?  See the kinit(1)
> man page and post klist(1) (klist -fea) output.
> 
> Does your server have a keytab file?  klist -ke please.  Are those
> keytab entries valid?  You can check this by doing something like:
> 
> # kinit -c /tmp/xyz123 -k host/
> # klist -fea -c /tmp/xyz123
> # kdestroy -c /tmp/xyz123
> 
> Now, if you address these issues and still have problems then ssh -vvv
> and sshd -ddd output may be useful.
> 
> # /usr/lib/ssh/sshd -dddp 
> ...
> 
> 
> % ssh -p  ...
> ...
> 
> Cheers,
> 
> Nico



Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Nicolas Williams
On Wed, Aug 09, 2006 at 08:24:22AM -0700, Erich Weiler wrote:
> The main reason I need to compile OpenSSH with krb5 is because the way I 
> have it working currently, OpenSSH using PAM, does not _forward_ 
> krb5 creds when SSHing to another machine.  I have seen OpenSSH using 
> GSS-API auth forward creds successfully, but not using Solaris PAM... 
> Unless someone knows of a way I can forward kerberos TGTs using Solaris PAM?

You fundamentally misunderstand how network authentication and
credential forwarding work.

PAM is orthogonal to your problem.

In order to use network authentication you first need credentials.  You
acquire these using kinit(1) or when you login first using a PAM-aware
login application whose PAM stack is configured to use pam_krb5(5).

(This also works with keylogin(1) and pam_dhkeys(5), if you use NIS+.)

Next you use telnet(1), ftp(1), ssh(1), etcetera, with appropriate
options.  The server has to have acceptor credentials, i.e., a
host-based principal name for the service 'host' and valid keytab
entries for these.

(Again, something similar goes for NIS+/DH.)

The client and server should negotiate the use of network authentication
and the client should delegate credentials if a) you have forwardable
tickets, b) use the appropriate option.

PAM barely enters the picture on the server-side, and you should not be
prompted for any passwords.

So, what are you doing wrong?

Have you got a TGT on the client?  Is it forwardable?  See the kinit(1)
man page and post klist(1) (klist -fea) output.

Does your server have a keytab file?  klist -ke please.  Are those
keytab entries valid?  You can check this by doing something like:

# kinit -c /tmp/xyz123 -k host/
# klist -fea -c /tmp/xyz123
# kdestroy -c /tmp/xyz123

Now, if you address these issues and still have problems then ssh -vvv
and sshd -ddd output may be useful.

# /usr/lib/ssh/sshd -dddp 
...


% ssh -p  ...
...

Cheers,

Nico
-- 

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
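Nico's first two checks as a script, added here as an example that is not part of the thread: it assumes MIT/SEAM-style `klist -f` output, uses a hypothetical host principal name, and the klist text embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread).  tgt_forwardable() reads `klist -f`
# output in MIT/SEAM style from stdin and reports whether the TGT carries
# the F flag; check_host_keytab() wraps Nico's kinit -k / klist / kdestroy
# sequence.  SAMPLE_OK is constructed klist output, not captured anywhere.

# Print the Flags field of the krbtgt entry; exit 1 when there is no TGT.
tgt_flags() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ { sub(/.*Flags: */, ""); sub(/[ \t]*$/, "")
                             print; found = 1; exit }
        in_tgt && /^[^ \t]/ { in_tgt = 0 }   # unindented line: next ticket
        END { exit found ? 0 : 1 }
    '
}

# Exit 0 only if the TGT is forwardable (Flags contain F); without it ssh
# cannot delegate credentials whatever GSSAPIDelegateCredentials says.
tgt_forwardable() {
    flags=$(tgt_flags) || return 1
    case "$flags" in *F*) return 0 ;; *) return 1 ;; esac
}

# Nico's keytab check: get a ticket with the host key into a throwaway
# cache, list it, destroy it.  $1 is the acceptor principal, for example
# host/server.example.com (hypothetical).  Skipped where kinit is absent.
check_host_keytab() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not found" >&2; return 2; }
    cc="/tmp/keytabcheck.$$"
    kinit -k -c "$cc" "$1" && klist -fea -c "$cc"
    rc=$?
    kdestroy -c "$cc" 2>/dev/null
    return $rc
}

# Constructed klist -f output: a forwardable (F), renewable (R), initial (I) TGT
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
08/09/06 10:00:00  08/09/06 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/16/06 10:00:00, Flags: FRIA
        Addresses: (none)'
# Same cache as it looks when kinit ran without the forwardable option
SAMPLE_NOFWD=$(printf '%s\n' "$SAMPLE_OK" | sed 's/Flags: FRIA/Flags: RIA/')

printf '%s\n' "$SAMPLE_OK" | tgt_forwardable && echo "sample 1: TGT is forwardable"
printf '%s\n' "$SAMPLE_NOFWD" | tgt_forwardable || echo "sample 2: not forwardable, kinit -f needed"
```

On a real client, `klist -f | tgt_forwardable` answers Nico's second question directly; `check_host_keytab host/<fqdn>` on the server answers the keytab one.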


Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Douglas E. Engert
Another comment: if the problem is that the Solaris 10 sshd is not saving
the forwarded credentials, it could be that pam.conf is not configured
correctly.  sshd calls PAM with a number of different service names,
including sshd-password, sshd-gssapi, sshd-kbdint. (If one of these
is not found, "other" is used by PAM :-( ) The man pages are not consistent
on the names actually used. You have to read the pam_krb5 and sshd pages
to figure this out.

The sshd does not set KRB5CCNAME correctly either. We do this
with  pam_krb5_cache.so.1 ccache=/tmp/krb5cc_%u_%p  (user and PID)
to get session-based credentials if possible. This works from sshd-gssapi,
but not from dtlogin, where we are stuck with user-based credentials.


Sun needs to get their act together on this too. But I would
rather live with this than have to build OpenSSH and MIT Kerberos
when Sun is so close.

Erich Weiler wrote:

>>With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>>ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>>authz function or a way to save the delegated creds.
>>
>>Solaris 10's sshd uses PAM to do these. OpenSSH should look at that
>>approach too, then it would not need Kerberos specific code either.
> 
> 
> The main reason I need to compile OpenSSH with krb5 is because the way I 
> have it working currently, OpenSSH using PAM, does not _forward_ 
> krb5 creds when SSHing to another machine.  I have seen OpenSSH using 
> GSS-API auth forward creds successfully, but not using Solaris PAM... 
> Unless someone knows of a way I can forward Kerberos TGTs using Solaris PAM?
> 
> -erich
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Douglas E. Engert


Erich Weiler wrote:

>> With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
>> ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
>> authz function or a way to save the delegated creds.
>>
>> Solaris 10's sshd uses PAM to do these. OpenSSH should look at that
>> approach too, then it would not need Kerberos specific code either.
> 
> 
> The main reason I need to compile OpenSSH with krb5 is because the way I 
> have it working currently, OpenSSH using PAM, does not _forward_ 
> krb5 creds when SSHing to another machine. 

You don't want it to forward?  Or you do?
The Solaris 10 ssh_config GSSAPIDelegateCredentials option could be set
to not forward them.

If you do, could it be that dtlogin is not getting forwardable tickets?
What does klist -f show?

Solaris looks at the krb5.conf file a little differently
than MIT. dtlogin and pam_krb5 look for forwardable = 1 in the [libdefaults]
or [appdefaults] sections. See the man pages.


> I have seen OpenSSH using 
> GSS-API auth forward creds successfully, but not using Solaris PAM... 
> Unless someone knows of a way I can forward Kerberos TGTs using Solaris 
> PAM?
> 
> -erich
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Erich Weiler
> With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
> ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
> authz function or a way to save the delegated creds.
> 
> Solaris 10's sshd uses PAM to do these. OpenSSH should look at that
> approach too, then it would not need Kerberos specific code either.

The main reason I need to compile OpenSSH with krb5 is because the way I 
have it working currently, OpenSSH using PAM, does not _forward_ 
krb5 creds when SSHing to another machine.  I have seen OpenSSH using 
GSS-API auth forward creds successfully, but not using Solaris PAM... 
Unless someone knows of a way I can forward Kerberos TGTs using Solaris PAM?

-erich

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Douglas E. Engert


Markus Moeller wrote:

> There shouldn't be any need to compile openssh with Kerberos as the 
> Solaris 10 version supports GSSAPI authentication.

Yes and no. Until you want to store the delegated credential or do a
krb5_userok test.

With OpenSSH-4.1 at least ssh_gssapi_krb5_storecreds and
ssh_gssapi_krb5_userok make krb5 API calls as gss never had a simple
authz function or a way to save the delegated creds.

Solaris 10's sshd uses PAM to do these. OpenSSH should look at that
approach too, then it would not need Kerberos specific code either.


> 
> Markus
> 
> "Erich Weiler" <[EMAIL PROTECTED]> wrote in message 
> news:[EMAIL PROTECTED]
> 
>>Hi all-
>>
>>I'm not sure this is the correct place to post about this but I'm
>>getting no response over at OpenSSH.org, if there is a more appropriate
>>place to post please let me know...  And the people at Sun scream at me
>>for even considering openssh when they supply their own version of SSH
>>which I'm not extremely fond of.
>>
>>Basically I'd like to compile OpenSSH with Kerberos support on Solaris
>>10.  Solaris 10 comes with SEAM, Sun's port of MIT Kerberos.  SEAM works
>>great, no problem there.  My problem is:  Does anyone know how to
>>compile openssh on Solaris with native SEAM kerberos support?  There is
>>a --with-kerberos=/dir compile time option with openssh but Sun doesn't
>>seem to have a single "directory" that they keep their kerberos
>>libraries in...  Not even sure they have GSSAPI at all, maybe just GSS?
>> Does anyone have any hints on this, or has anyone ever done it?  Or
>>maybe a better place to post?
>>
>>ciao, erich
>>
>>Kerberos mailing list   Kerberos@mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 
> 
> 
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Douglas E. Engert


Erich Weiler wrote:
> Hi all-
> 
> I'm not sure this is the correct place to post about this but I'm 
> getting no response over at OpenSSH.org, if there is a more appropriate 
> place to post please let me know...  And the people at Sun scream at me 
> for even considering openssh when they supply their own version of SSH 
> which I'm not extremely fond of.
> 
> Basically I'd like to compile OpenSSH with Kerberos support on Solaris 
> 10.  Solaris 10 comes with SEAM, Sun's port of MIT Kerberos.  SEAM works 
> great, no problem there.  My problem is:  Does anyone know how to 
> compile openssh on Solaris with native SEAM kerberos support? 

Yes and no. You can use the OpenSolaris header files and SEAM library
or, as Will pointed out, you can wait for Sun to release the API.

See the note below to this list from last year. There is no guarantee
that this will work, or that the OpenSolaris header files still match
what is in Solaris 10. But it is a start.

You will need something like
LDFLAGS="/usr/lib/gss/mech_krb5.so  -Wl,-R,/usr/lib/gss "
CFLAGS="-I/krb5/include"

I also copied the MIT com_err.h and profile.h from MIT to /krb5/include.

We use this with CVS, POP and OpenAFS aklog to get Kerberos support.

And we too are waiting for Sun to release a supported API with Solaris 10.


> There is 
> a --with-kerberos=/dir compile time option with openssh but Sun doesn't 
> seem to have a single "directory" that they keep their kerberos 
> libraries in...  Not even sure they have GSSAPI at all, maybe just GSS?

Yes, they have a nice gssapi and we use that if possible.

>   Does anyone have any hints on this, or has anyone ever done it?  Or 
> maybe a better place to post?
> 
> ciao, erich
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
 Original Message 
Subject: Using Solaris 10 built in Kerberos support with Kerberos application
Date: Tue, 23 Aug 2005 14:20:21 -0500
From: Douglas E. Engert <[EMAIL PROTECTED]>
To: 'kerberos@mit.edu' 

In an attempt to use vendor provided Kerberos support where possible, we have
been able to use the Solaris 10 Kerberos and the Solaris provided kinit, pam_krb5
and ssh or any application that uses Kerberos via GSSAPI.

But we have a number of other Kerberos applications, including qpop for Kerberized
pop service, aklog with OpenAFS and kerberized CVS.

The problem is that Solaris only exposes Kerberos via GSSAPI, and does not
provide the krb5.h files or the normal Kerberos libraries.

*What I would like to ask SUN is to include the krb5.h and its friends with the
Solaris 10 base system.*

To get around this,
http:/www.opesolaris.org/source/xref/usr/src/uts/common/gsspai/mechs/krb5/include
has a krb5.h that appears to match the /usr/lib/gss/mech_krb5.so that comes
with Solaris 10.  (I actually downloaded the tarfile to get the header files.)

I have managed to get qpop-4.0.5 and OpenAFS-1.4.0-RC1 aklog to compile and run
using this krb5.h with some modification, and the MIT-1.4.1 profile.h and 
com_err.h.

Some problems along the way:

   o mech_krb5.so has most of the Kerberos routines and can be used as a shared
     library, but is clumsy to link as it's not a "libxxx"

   o The opensolaris krb5.h is not guaranteed to match the mech_krb5.so

   o The krb5.h refers to profile.h  which is not supplied.

   o Many of the Kerberos applications also use com_err.h which is not supplied.

   o There is no com_err add_error_table.

   o Solaris does not have krb524. So aklog can not use this feature.

But so far it still looks promising to use the Solaris 10 Kerberos and we
are expecting that Sun will continue to improve the usability of their
Kerberos support.

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Douglas E. Engert
P.S. I should say we are using the Solaris ssh and sshd, as well as
their pam_krb5. But there are issues with the pam_krb5 with using
session based caches rather than user, and updating of the TGT
but leaving older tickets in the cache.


Erich Weiler wrote:

> Hi all-
> 
> I'm not sure this is the correct place to post about this but I'm 
> getting no response over at OpenSSH.org, if there is a more appropriate 
> place to post please let me know...  And the people at Sun scream at me 
> for even considering openssh when they supply their own version of SSH 
> which I'm not extremely fond of.
> 
> Basically I'd like to compile OpenSSH with Kerberos support on Solaris 
> 10.  Solaris 10 comes with SEAM, Sun's port of MIT Kerberos.  SEAM works 
> great, no problem there.  My problem is:  Does anyone know how to 
> compile openssh on Solaris with native SEAM kerberos support?  There is 
> a --with-kerberos=/dir compile time option with openssh but Sun doesn't 
> seem to have a single "directory" that they keep their kerberos 
> libraries in...  Not even sure they have GSSAPI at all, maybe just GSS? 
>   Does anyone have any hints on this, or has anyone ever done it?  Or 
> maybe a better place to post?
> 
> ciao, erich
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Problem with principal names

2006-08-09 Thread Sebastian Hanigk
[EMAIL PROTECTED] (Mordur Ingolfsson) writes:

Morning,

> I'm new to kerberos.  I wish to use Kerberos for password verification
> on a cyrus imap installation. My problem is, that since we serve
> multiple domains, the usernames are in the form "[EMAIL PROTECTED]"
> Is it possible to create principals in the form
> "user/[EMAIL PROTECTED]@REALM.NAME," and if not, is there a
> workaround? Or am I perhaps misunderstanding the whole thing terribly?

as far as I know, you could have principals like
"user/[EMAIL PROTECTED]". Why would you like to have the whole mail
address in the second part of the principal?

Regards,

Sebastian

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Openssh, kerberos and Solaris 10

2006-08-09 Thread Markus Moeller
There shouldn't be any need to compile openssh with Kerberos as the 
Solaris 10 version supports GSSAPI authentication.

Markus

"Erich Weiler" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Hi all-
>
> I'm not sure this is the correct place to post about this but I'm
> getting no response over at OpenSSH.org, if there is a more appropriate
> place to post please let me know...  And the people at Sun scream at me
> for even considering openssh when they supply their own version of SSH
> which I'm not extremely fond of.
>
> Basically I'd like to compile OpenSSH with Kerberos support on Solaris
> 10.  Solaris 10 comes with SEAM, Sun's port of MIT Kerberos.  SEAM works
> great, no problem there.  My problem is:  Does anyone know how to
> compile openssh on Solaris with native SEAM kerberos support?  There is
> a --with-kerberos=/dir compile time option with openssh but Sun doesn't
> seem to have a single "directory" that they keep their kerberos
> libraries in...  Not even sure they have GSSAPI at all, maybe just GSS?
>  Does anyone have any hints on this, or has anyone ever done it?  Or
> maybe a better place to post?
>
> ciao, erich
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 



Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos